knative · nak3 · Nov 19, 2019 · Nov 19, 2019 · Nov 19, 2019 · Nov 22, 2019
diff --git a/pkg/reconciler/ingress/resources/virtual_service.go b/pkg/reconciler/ingress/resources/virtual_service.go
@@ -20,7 +20,6 @@ import (
 	"crypto/md5"
 	"encoding/json"
 	"fmt"
-	"regexp"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -282,7 +281,8 @@ func makeMatch(host string, pathRegExp string, gateways sets.String) v1alpha3.HT
 	match := v1alpha3.HTTPMatchRequest{
 		Gateways: gateways.List(),
 		Authority: &istiov1alpha1.StringMatch{
-			Regex: hostRegExp(host),
+			// Do not use Regex as Istio 1.4 or later has 100 bytes limitation.
+			Prefix: hostPrefix(host),
 		},
 	}
 	// Empty pathRegExp is considered match all path. We only need to
@@ -295,29 +295,16 @@ func makeMatch(host string, pathRegExp string, gateways sets.String) v1alpha3.HT
 	return match
 }
 
-// Should only match 1..65535, but for simplicity it matches 0-99999.
-const portMatch = `(?::\d{1,5})?`
-
-// hostRegExp returns an ECMAScript regular expression to match either host or host:<any port>
-// for clusterLocalHost, we will also match the prefixes.
-func hostRegExp(host string) string {
+// hostPrefix returns an host to match either host or host:<any port>.
+// For clusterLocalHost, it trims .svc.<local domain> from the host to match short host.
+func hostPrefix(host string) string {
 	localDomainSuffix := ".svc." + network.GetClusterDomainName()
 	if !strings.HasSuffix(host, localDomainSuffix) {
-		return exact(regexp.QuoteMeta(host) + portMatch)
+		return host
 	}
-	prefix := regexp.QuoteMeta(strings.TrimSuffix(host, localDomainSuffix))
-	clusterSuffix := regexp.QuoteMeta("." + network.GetClusterDomainName())
-	svcSuffix := regexp.QuoteMeta(".svc")
-	return exact(prefix + optional(svcSuffix+optional(clusterSuffix)) + portMatch)
-}
-
-func exact(regexp string) string {
-	return "^" + regexp + "$"
+	return strings.TrimSuffix(host, localDomainSuffix)
 }
 
-func optional(regexp string) string {
-	return "(" + regexp + ")?"
-}
 func getHosts(ia *v1alpha1.Ingress) sets.String {
 	hosts := sets.NewString()
 	for _, rule := range ia.Spec.Rules {

diff --git a/pkg/reconciler/ingress/resources/virtual_service_test.go b/pkg/reconciler/ingress/resources/virtual_service_test.go
@@ -225,7 +225,7 @@ func TestMakeMeshVirtualServiceSpec_CorrectRoutes(t *testing.T) {
 	expected := []v1alpha3.HTTPRoute{{
 		Match: []v1alpha3.HTTPMatchRequest{{
 			URI:       &istiov1alpha1.StringMatch{Regex: "^/pets/(.*?)?"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^test-route\.test-ns(\.svc(\.cluster\.local)?)?(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `test-route.test-ns`},
 			Gateways:  []string{"mesh"},
 		}},
 		Route: []v1alpha3.HTTPRouteDestination{{
@@ -351,11 +351,11 @@ func TestMakeIngressVirtualServiceSpec_CorrectRoutes(t *testing.T) {
 	expected := []v1alpha3.HTTPRoute{{
 		Match: []v1alpha3.HTTPMatchRequest{{
 			URI:       &istiov1alpha1.StringMatch{Regex: "^/pets/(.*?)?"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^domain\.com(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `domain.com`},
 			Gateways:  []string{"gateway.public"},
 		}, {
 			URI:       &istiov1alpha1.StringMatch{Regex: "^/pets/(.*?)?"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^test-route\.test-ns(\.svc(\.cluster\.local)?)?(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `test-route.test-ns`},
 			Gateways:  []string{"gateway.private"},
 		}},
 		Route: []v1alpha3.HTTPRouteDestination{{
@@ -388,7 +388,7 @@ func TestMakeIngressVirtualServiceSpec_CorrectRoutes(t *testing.T) {
 	}, {
 		Match: []v1alpha3.HTTPMatchRequest{{
 			URI:       &istiov1alpha1.StringMatch{Regex: "^/pets/(.*?)?"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^v1\.domain\.com(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `v1.domain.com`},
 			Gateways:  []string{},
 		}},
 		Route: []v1alpha3.HTTPRouteDestination{{
@@ -441,10 +441,10 @@ func TestMakeVirtualServiceRoute_Vanilla(t *testing.T) {
 	expected := v1alpha3.HTTPRoute{
 		Match: []v1alpha3.HTTPMatchRequest{{
 			Gateways:  []string{"gateway-1"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^a\.com(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `a.com`},
 		}, {
 			Gateways:  []string{"gateway-1"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^b\.org(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `b.org`},
 		}},
 		Route: []v1alpha3.HTTPRouteDestination{{
 			Destination: v1alpha3.Destination{
@@ -493,7 +493,7 @@ func TestMakeVirtualServiceRoute_TwoTargets(t *testing.T) {
 	expected := v1alpha3.HTTPRoute{
 		Match: []v1alpha3.HTTPMatchRequest{{
 			Gateways:  []string{"knative-testing/gateway-1"},
-			Authority: &istiov1alpha1.StringMatch{Regex: `^test\.org(?::\d{1,5})?$`},
+			Authority: &istiov1alpha1.StringMatch{Prefix: `test.org`},
 		}},
 		Route: []v1alpha3.HTTPRouteDestination{{
 			Destination: v1alpha3.Destination{

diff --git a/test/e2e-common.sh b/test/e2e-common.sh
@@ -48,7 +48,9 @@ function parse_flags() {
   case "$1" in
     --istio-version)
       [[ $2 =~ ^[0-9]+\.[0-9]+(\.[0-9]+|\-latest)$ ]] || abort "version format must be '[0-9].[0-9].[0-9]' or '[0-9].[0-9]-latest"
-      readonly ISTIO_VERSION=$2
+      # TODO: Set istio-1.4-latest for POC.
+      # readonly ISTIO_VERSION=$2
+      ISTIO_VERSION="1.4-latest"
       GATEWAY_SETUP=1
       return 2
       ;;
@@ -67,7 +69,8 @@ function parse_flags() {
       return 1
       ;;
     --no-mesh)
-      readonly MESH=0
+      # TODO: Enable mesh for test as issues/6058 only happens on Mesh env.
+      readonly MESH=1
       return 1
       ;;
     --https)
@@ -352,14 +355,15 @@ function test_setup() {
 
   echo ">> Creating test resources (test/config/)"
   ko apply ${KO_FLAGS} -f test/config/ || return 1
-  if (( MESH )); then
-    if [[ ${ISTIO_VERSION} =~ 1.3.* ]]; then
-      # TODO: Enable mTLS with Istio 1.3 once https://github.com/knative/serving/issues/5725 is identified.
-      continue
-    else
-      ko apply ${KO_FLAGS} -f test/config/mtls/ || return 1
-    fi
-  fi
+#  TODO: Disable mTLS on 1.4 for PoC
+#  if (( MESH )); then
+#    if [[ ${ISTIO_VERSION} =~ 1.3.* ]]; then
+#      # TODO: Enable mTLS with Istio 1.3 once https://github.com/knative/serving/issues/5725 is identified.
+#      continue
+#    else
+#      ko apply ${KO_FLAGS} -f test/config/mtls/ || return 1
+#    fi
+#  fi
   ${REPO_ROOT_DIR}/test/upload-test-images.sh || return 1
   wait_until_pods_running knative-serving || return 1
   if [[ -n "${ISTIO_VERSION}" ]]; then

diff --git a/test/e2e/istio/probing_test.go b/test/e2e/istio/probing_test.go
@@ -101,6 +101,7 @@ func TestIstioProbing(t *testing.T) {
 		Mode:              v1alpha3.TLSModeSimple,
 		PrivateKey:        "/etc/istio/ingressgateway-certs/tls.key",
 		ServerCertificate: "/etc/istio/ingressgateway-certs/tls.crt",
+		SubjectAltNames:   []string{},
 	}
 
 	cases := []struct {

diff --git a/third_party/istio-1.4-latest b/third_party/istio-1.4-latest
@@ -0,0 +1 @@
+istio-1.4.0
diff --git a/third_party/istio-1.4.0/README.md b/third_party/istio-1.4.0/README.md
@@ -0,0 +1,7 @@
+The istio\*.yaml files are generated by running
+
+```
+./download-istio.sh
+```
+
+Using the Helm v2.14.1
diff --git a/third_party/istio-1.4.0/download-istio.sh b/third_party/istio-1.4.0/download-istio.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+# Download and unpack Istio
+ISTIO_VERSION=1.4.0
+DOWNLOAD_URL=https://github.com/istio/istio/releases/download/${ISTIO_VERSION}/istio-${ISTIO_VERSION}-linux.tar.gz
+
+wget --no-check-certificate $DOWNLOAD_URL
+if [ $? != 0 ]; then
+  echo "Failed to download istio package"
+  exit 1
+fi
+tar xzf istio-${ISTIO_VERSION}-linux.tar.gz
+
+( # subshell in downloaded directory
+cd istio-${ISTIO_VERSION} || exit
+
+# Create CRDs template
+helm template --namespace=istio-system \
+  install/kubernetes/helm/istio-init \
+  `# Removing trailing whitespaces to make automation happy` \
+  | sed 's/[ \t]*$//' \
+  > ../istio-crds.yaml
+
+# Create a custom cluster local gateway, based on the Istio custom-gateway template.
+helm template --namespace=istio-system install/kubernetes/helm/istio --values ../values-extras.yaml \
+  `# Removing trailing whitespaces to make automation happy` \
+  | sed 's/[ \t]*$//' \
+  > ../istio-knative-extras.yaml
+
+# A template with sidecar injection enabled.
+helm template --namespace=istio-system install/kubernetes/helm/istio --values ../values.yaml \
+  `# Removing trailing whitespaces to make automation happy` \
+  | sed 's/[ \t]*$//' \
+  > ../istio.yaml
+
+# A lighter template, with just pilot/gateway.
+# Based on install/kubernetes/helm/istio/values-istio-minimal.yaml
+helm template --namespace=istio-system install/kubernetes/helm/istio --values ../values-lean.yaml \
+  `# Removing trailing whitespaces to make automation happy` \
+  | sed 's/[ \t]*$//' \
+  > ../istio-lean.yaml
+)
+
+# Clean up.
+rm -rf istio-${ISTIO_VERSION}
+rm istio-${ISTIO_VERSION}-linux.tar.gz
+
+# Add in the `istio-system` namespace to reduce number of commands.
+patch istio-crds.yaml namespace.yaml.patch
+patch istio.yaml namespace.yaml.patch
+patch istio-lean.yaml namespace.yaml.patch
+
+# Increase termination drain duration seconds.
+patch -l istio.yaml drain-seconds.yaml.patch
diff --git a/third_party/istio-1.4.0/drain-seconds.yaml.patch b/third_party/istio-1.4.0/drain-seconds.yaml.patch
@@ -0,0 +1,5 @@
+654a655,658
+>         # PATCH #2: Increase termination drain duration.
+>         - name: TERMINATION_DRAIN_DURATION_SECONDS
+>           value: "20"
+>         # PATCH #2 ends.